Back to bug 2170243
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Anten Skrabec | 2023-02-16 00:14:53 UTC | CC | apevec, bcl, bdettelb, eglynn, gtanzill, jjoyce, lhh, mburns, mgarciac, mminar, njohnston, nobody, rbiba, rhos-maint, scohen, spower, sskracic | |
| Anten Skrabec | 2023-02-16 00:20:15 UTC | Depends On | 2170267, 2170257, 2170252, 2170249, 2170263, 2170247, 2170245, 2170254, 2170251, 2170260, 2170265, 2170258 | |
| Anten Skrabec | 2023-02-16 00:25:34 UTC | CC | dfreiber, jburrell, rogbas, vkumar | |
| Anten Skrabec | 2023-02-16 00:25:41 UTC | Depends On | 2170269, 2170270, 2170271, 2170268 | |
| TEJ RATHI | 2023-02-16 06:50:32 UTC | Depends On | 2170317 | |
| Paige Jung | 2023-02-16 17:48:09 UTC | Doc Text | Browsers may allow "nameless" cookies that look like =value instead of key=value. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like =__Host-test=bad for another subdomain. Werkzeug <= 2.2.2 will parse the cookie =__Host-test=bad as __Host-test=bad. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. | A flaw was found in python-werkzeug. Browsers may allow "nameless" cookies like =value instead of key=value. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie for another subdomain. If a Werkzeug application is running next to a vulnerable or malicious subdomain that sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. |
| Sandro Mani | 2023-03-07 08:43:58 UTC | CC | manisandro | |
| Brian Lane | 2023-04-19 16:35:48 UTC | Doc Type | --- | If docs needed, set a value |
| Red Hat Bugzilla | 2023-07-07 08:33:46 UTC | Assignee | security-response-team | nobody |